Configure internet access for workload VMs
You configure the internet access network service for VMware workloads in Google Cloud VMware Engine on a per-region basis. You can direct internet-bound traffic from your workload VMs by using Google Cloud's internet edge or an on-premises connection.
Workload VMs that can access the internet can also access Google Cloud services using Private Google Access. Access to Google Cloud services using Private Google Access stays within Google Cloud networks and does not exit to the internet.
The internet access network service supports the following:
- Up to 100 public IP addresses for each region
- Up to 300 firewall rules per firewall table
- Throughput of up to 2 Gbps across 128k concurrent connections for each region
- TCP, UDP, and ICMP protocols
The internet access network service doesn't support Application Level Gateway (ALG) capability.
Before you begin
To make changes to the internet access settings of your private cloud, you must have admin access to VMware Engine.
To enable internet access, you need an edge services CIDR address range. When you enable the internet access or public IP network services, gateways deploy in the service tenant context.
Use the edge services CIDR address range for addressing VMware Engine internet and public IP gateways. The address range must meet the following requirements:
- Comply with RFC 1918 as a private range.
- Have no overlap with any other VMware Engine address ranges, such as the address range used for management appliances or NSX segments.
- Have no overlap with any address ranges being advertised to VMware Engine, such as those used for Virtual Private Cloud (VPC) network subnets or on-premises networks.
- Dedicate an IP address range with 26 subnet mask bits (/26).
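The four requirements above are easy to get wrong by hand, especially the overlap checks against ranges that live in other systems. The following preflight check, added here as an example and not part of Google's documentation or tooling, validates a candidate edge services CIDR with Python's standard ipaddress module: RFC 1918 membership, an exact /26 prefix, and no overlap with any reserved range you supply. The reserved ranges in EXAMPLE_RESERVED are constructed sample values, not ranges from the page.

```python
# Added example: preflight validation of a VMware Engine edge services CIDR.
# Not part of the Google Cloud documentation; the reserved ranges below are constructed samples.
import ipaddress

# The three RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_edge_services_cidr(candidate, reserved):
    """Return a list of problems with `candidate`; an empty list means it is acceptable.

    reserved: mapping of label -> CIDR string for every range that must not overlap
    (VMware Engine management range, NSX segments, VPC subnets, on-premises prefixes).
    """
    try:
        # strict=True rejects ranges with host bits set, e.g. 192.168.100.1/26.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate!r} is not a valid CIDR block: {exc}"]
    if net.version != 4:
        return [f"{candidate} is not an IPv4 range"]

    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not within an RFC 1918 private range")
    if net.prefixlen != 26:
        problems.append(f"{net} has a /{net.prefixlen} prefix; a /26 is required")
    for label, cidr in reserved.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if other.version == 4 and net.overlaps(other):
            problems.append(f"{net} overlaps {label} ({other})")
    return problems


# Constructed sample of ranges already in use around a private cloud (not real values).
EXAMPLE_RESERVED = {
    "management appliances": "10.10.0.0/22",
    "NSX workload segment": "10.20.0.0/24",
    "VPC subnet (us-central1)": "10.128.0.0/20",
    "on-premises": "172.16.0.0/16",
}

if __name__ == "__main__":
    for candidate in ("192.168.100.0/26", "10.20.0.64/26", "192.168.100.0/24", "203.0.113.0/26"):
        print(candidate, "->", check_edge_services_cidr(candidate, EXAMPLE_RESERVED) or "OK")
```

Run the check against every range advertised to VMware Engine, not only the ones you manage directly; a missed overlap shows up later as asymmetric routing rather than as a validation error at policy creation time.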
Google Cloud CLI and API requirements
To use the gcloud command line tool or the API to manage your VMware Engine resources, we recommend configuring the tools as described below.
gcloud
- Set your default project ID:
  gcloud config set project PROJECT_ID
- Set a default region and zone:
  gcloud config set compute/region REGION
  gcloud config set compute/zone ZONE
For more information on the gcloud vmware tool, see the Cloud SDK reference docs.
API
API examples in this documentation set use the cURL command-line tool to query the API. A valid access token is required as part of the cURL request. There are many ways to get a valid access token; the following steps use the gcloud tool to generate an access token:
- Log in to Google Cloud:
  gcloud auth login
- Generate an access token and export it to TOKEN:
  export TOKEN=$(gcloud auth print-access-token)
- Verify that TOKEN is set properly:
  echo $TOKEN
Now, use the authorization token in your requests to the API. For example:
curl -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations
Python
Python code samples in this documentation use the VMware Engine library to communicate with the API. To be able to use this approach, the library needs to be installed and the Application Default Credentials should be configured.
- Download and install the Python library:
  pip install google-cloud-vmwareengine
- Configure the ADC information by executing this command in your shell:
  gcloud auth application-default login
  Or, use a service account key file:
  export GOOGLE_APPLICATION_CREDENTIALS="FILE_PATH"
For more information about the library, visit the reference page or view code samples on GitHub.
Configure the internet access service
You can allow your workload VMs to access the internet by creating or updating a network policy.
By default, the internet access network service is disabled.
Enable the internet access service in a region
Console
To enable the internet access service in a region, do the following:
- In the Google Cloud console, go to the Network policies page. 
- Click Select a project and then select the organization, folder, or project that contains the VMware Engine network you want to enable the internet access service for. 
- Click Create to create a new policy. If you want to edit an existing network policy, click the More icon at the end of a row and select Edit. 
- Fill out the details of your network policy, including choosing the network and region that the policy applies to. 
- Toggle Internet access to Enabled and, optionally, enable External IP address service. 
- In the Edge Services CIDR field, enter the address range to use when addressing the VMware Engine internet gateway (/26 address range). 
- Click Create. 
The status for the service changes to Enabled when the operation is complete, usually after several minutes.
gcloud
Using the gcloud tool, run the following command to create a network policy:
gcloud vmware network-policies create NETWORK_POLICY_NAME \
    --vmware-engine-network projects/PROJECT_ID/locations/LOCATION/vmwareEngineNetworks/NETWORK_ID \
    --edge-services-cidr=IP_RANGE \
    --location=LOCATION \
    --internet-access
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy
- PROJECT_ID: the project ID for this request
- NETWORK_ID: the network this network policy applies to
- IP_RANGE: the CIDR range to use for internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
- LOCATION: global for legacy networks or the region of a standard network
API
curl -X POST -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" \
  "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies?networkPolicyId=NETWORK_POLICY_NAME" \
  -d '{
  "vmwareEngineNetwork": "projects/PROJECT_ID/locations/LOCATION/vmwareEngineNetworks/NETWORK_ID",
  "edgeServicesCidr": "IP_RANGE",
  "internetAccess": {
    "enabled": true
  },
  "externalIp": {
    "enabled": true
  }
}'
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy. This must be in the format REGION-default.
- PROJECT_ID: the project ID for this request
- LOCATION: global for legacy networks or the region of a standard network
- IP_RANGE: the CIDR range to use for internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
- NETWORK_ID: the network for this network policy
Python
Guidelines for HCX Mobility Optimized Networking (MON)
When configuring Internet access for VMs migrated using HCX with Mobility Optimized Networking (MON), a specific routing configuration is required to ensure connectivity.
For Layer 2 Extension (L2E) segments that have been enabled with MON, the migrated VMs won't automatically have their routes advertised to the VMware Engine internet service. To ensure these VMs can access the Internet, you must perform the following action:
- Enable static route redistribution to BGP at the Tier-1 router.
This manual step is critical to advertise the routes of your MON-enabled segments, allowing them to route Internet traffic through the VMware Engine environment. Without this configuration, VMs on these segments won't be able to access the public Internet.
Disable the internet access service in a region
To disable the internet access service in a region, do the following:
Console
- In the Google Cloud console, go to the Network policies page. 
- Click Select a project and then select the organization, folder, or project that contains the VMware Engine network you want to disable the internet access service for. 
- In the row corresponding to the relevant network policy, click the More icon. 
- Toggle Internet access to Disabled.
  - You must disable public IP service before you can disable internet access.
  - You must delete any allocated public IP addresses and point-to-site VPN gateways before you can disable public IP service.
- Click Save.
The status for the service changes to Disabled when the operation is complete, usually after several minutes.
gcloud
Using the gcloud tool, run the following command to update network policy:
gcloud vmware network-policies update NETWORK_POLICY_NAME \
    --no-internet-access \
    --location LOCATION
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy
- LOCATION: global for legacy networks or the region of a standard network
API
curl -X PATCH -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" \
  "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies/NETWORK_POLICY_NAME?updateMask=internetAccess.enabled,externalIp.enabled" \
  -d '{
  "internetAccess": {
    "enabled": false
  },
  "externalIp": {
    "enabled": false
  }
}'
Replace the following:
- PROJECT_ID: the project ID for this request
- LOCATION: global for legacy networks or the region of a standard network
- NETWORK_POLICY_NAME: the name for this network policy
Python
Use an on-premises connection for workload internet access
You can optionally direct internet-bound traffic from your workload VMs in VMware Engine through an on-premises connection. Traffic is directed based on the state of the following:
- Default route (0.0.0.0/0) advertisement from on-premises
- VMware Engine public IP service
- VMware Engine internet access service
- VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine
Enable routing internet traffic through an on-premises connection
To access the internet from your workload VMs through an on-premises connection, you must complete two steps:
- Advertise the default route (0.0.0.0/0) from on-premises over an on-premises connection (Cloud VPN or Cloud Interconnect). Check the Cloud VPN gateway or Cloud Router where the on-premises connection to your VPC network terminates.
- Disable the internet access and public IP service for the VMware Engine network.
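The two steps above, together with the ordering constraints from the Disable section (public IP service off before internet access, and no allocated public IPs or point-to-site VPN gateways left on it) and the legacy-network VPC Service Controls step that follows, form a small dependency graph. The planner below is an added example, not Google's code: it takes a constructed description of the current state and returns the ordered actions, including the exact PATCH request from this page's API tab, or refuses when a precondition is unmet. The state keys, API_ROOT constant and EXAMPLE_STATE values are assumptions of this example.

```python
# Added example: plan the ordered steps to switch a VMware Engine network policy
# to on-premises internet egress. Not part of the Google Cloud documentation.
import json

# Assumed for this example: the REST endpoint used throughout this page.
API_ROOT = "https://vmwareengine.googleapis.com/v1"


def policy_url(project_id, location, policy_name):
    """Resource URL of a network policy (location is 'global' for legacy networks)."""
    return f"{API_ROOT}/projects/{project_id}/locations/{location}/networkPolicies/{policy_name}"


def disable_edge_services_request(project_id, location, policy_name):
    """The PATCH that turns off internet access and the public IP service in one call.

    updateMask restricts the write to the two 'enabled' flags, so other policy fields
    such as the edge services CIDR are left untouched.
    """
    url = (policy_url(project_id, location, policy_name)
           + "?updateMask=internetAccess.enabled,externalIp.enabled")
    body = {"internetAccess": {"enabled": False}, "externalIp": {"enabled": False}}
    return {"method": "PATCH", "url": url, "body": json.dumps(body)}


def plan_on_prem_egress(state, project_id, location, policy_name):
    """Return the ordered steps to reach on-premises egress, or raise if a precondition fails.

    `state` keys (assumptions of this example):
      default_route_advertised - on-premises already advertises 0.0.0.0/0 to Cloud Router
      internet_access, external_ip - current network policy flags
      allocated_public_ips, p2s_vpn_gateways - resources still bound to the public IP service
      legacy_network - True for a legacy VMware Engine network
      vpc_network - VPC network peered with VMware Engine (legacy networks only)
    """
    # The public IP service cannot be disabled while addresses or P2S gateways still use it.
    if state["external_ip"] and (state["allocated_public_ips"] or state["p2s_vpn_gateways"]):
        raise ValueError("delete allocated public IP addresses and point-to-site VPN gateways "
                         "before disabling the public IP service")

    steps = []
    # Step 1: without a default route from on-premises there is no egress path at all.
    if not state["default_route_advertised"]:
        steps.append({"kind": "manual",
                      "action": "advertise 0.0.0.0/0 from on-premises over Cloud VPN or Cloud Interconnect"})
    # Step 2: disable both edge services; one PATCH covers public IP and internet access.
    if state["internet_access"] or state["external_ip"]:
        steps.append({"kind": "api", **disable_edge_services_request(project_id, location, policy_name)})
    # Step 3 (legacy networks only): VPC Service Controls on the peering removes the tenant's
    # default route via the internet gateway, so traffic follows the peering route instead.
    if state["legacy_network"]:
        steps.append({"kind": "gcloud",
                      "command": ("gcloud services vpc-peerings enable-vpc-service-controls "
                                  f"--network={state['vpc_network']} "
                                  "--service=servicenetworking.googleapis.com")})
    return steps


# Constructed sample state: a standard network with both edge services still enabled.
EXAMPLE_STATE = {
    "default_route_advertised": False,
    "internet_access": True,
    "external_ip": True,
    "allocated_public_ips": 0,
    "p2s_vpn_gateways": 0,
    "legacy_network": False,
    "vpc_network": None,
}

if __name__ == "__main__":
    for step in plan_on_prem_egress(EXAMPLE_STATE, "my-project", "us-central1", "us-central1-default"):
        print(step)
```

Keeping the precondition check ahead of any API call matters operationally: a PATCH that disables the public IP service while addresses are still allocated fails partway through the cutover, leaving the policy half-changed.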
Console
- In the Google Cloud console, go to the Network policies page. 
- Click Select a project and then select the organization, folder, or project that contains the VMware Engine network you want to route through an on-premises connection. 
- In the row corresponding to the relevant network policy, click the More icon. 
- Toggle Public IP to Disabled. 
- Toggle Internet access to Disabled. 
- Click Save. 
- If using a Legacy VMware Engine network: enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
  gcloud services vpc-peerings enable-vpc-service-controls \
      --network=VPC_NETWORK \
      --service=servicenetworking.googleapis.com
gcloud
Using the gcloud tool, run the following command to update network policy:
gcloud vmware network-policies update NETWORK_POLICY_NAME \
    --no-internet-access \
    --no-external-ip-address \
    --location LOCATION
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy
- LOCATION: global for legacy networks or the region of a standard network
If using a Legacy VMware Engine network: enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
    --network=VPC_NETWORK \
    --service=servicenetworking.googleapis.com
API
curl -X PATCH -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json; charset=utf-8" \
  "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies/NETWORK_POLICY_NAME?updateMask=internetAccess.enabled,externalIp.enabled" \
  -d '{
  "internetAccess": {
    "enabled": false
  },
  "externalIp": {
    "enabled": false
  }
}'
If using a Legacy VMware Engine network: enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
    --network=VPC_NETWORK_NAME \
    --service=servicenetworking.googleapis.com
Python
Set the internet_access and external_ip to False.
If using a Legacy VMware Engine network: enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
    --network=VPC_NETWORK \
    --service=servicenetworking.googleapis.com
Enabling VPC Service Controls is essential for routing internet traffic through either an on-premises connection or VPC in your project.
When VPC Service Controls are enabled, Google Cloud makes the following routing changes in the service producer VPC network (in this case, the service tenant project peered with VMware Engine):
- Removes the IPv4 default route (destination 0.0.0.0/0, next hop default internet gateway).
- Begins forwarding internet traffic using the VPC peering default route.
Example:
To enable VPC Service Controls for a connection peering a network named "my-network" on the current project, use the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
    --network=my-network \
    --service=servicenetworking.googleapis.com
Disable routing internet traffic through an on-premises connection
To disable routing internet traffic from your workload VMs through an on-premises connection, stop advertising the default route (0.0.0.0/0) and disable VPC Service Controls on the VPC peering connection.
If using a Legacy VMware Engine network: disable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings disable-vpc-service-controls command:
gcloud services vpc-peerings disable-vpc-service-controls \
    --network=VPC_NETWORK_NAME \
    --service=servicenetworking.googleapis.com
What's next
- Learn how to allocate a public IP address for a VM in your private cloud.
- Learn how firewall tables and firewall rules filter network traffic to and from private cloud resources.